Fwd: [Support request] Tigase XMPP server should not pass through non-well-formed XML

Mark Doliner mark at kingant.net
Tue Aug 17 19:21:58 EDT 2010


---------- Forwarded message ----------
From: Mark Doliner <mark at kingant.net>
Date: Tue, Aug 17, 2010 at 4:20 PM
Subject: Re: [Support request] Tigase XMPP server should not pass
through non-well-formed XML
To: Artur Hefczyc <artur.hefczyc at tigase.org>


Excellent, thanks.  Yes, 0x0b is invalid in XML 1.0 according to the
spec.  The only allowed characters are:
#x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]

I think maybe some of the characters which are invalid in XML 1.0 are
valid in 1.1, but it seems like XMPP might mandate XML 1.0?  I
couldn't find any info in the original RFC, but section 11.8 of Peter
Saint-Andre's proposed draft says, "XMPP is an application profile of
XML 1.0.  A future version of XMPP might be defined in terms of higher
versions of XML, but this specification defines XMPP only in terms of
XML 1.0."

Thanks,
Mark

On Tue, Aug 17, 2010 at 3:59 PM, Artur Hefczyc <artur.hefczyc at tigase.org> wrote:
> Hi Mark,
>
> Thank you for your message and letting me know about the problem.
> I will look at it at the earliest possible time.
> By the way, is the 0x0b character really an invalid XML character?
>
> Artur
>
> On Aug 17, 2010, at 2:25 PM, Tigase.org Support wrote:
>
>> Mark Doliner sent a message using the contact form at
>> http://www.tigase.org/contact.
>>
>> Hi!  As far as I've been able to tell, XMPP servers should disconnect clients
>> that send illegal XML characters[1].  And more importantly, XMPP servers
>> should NOT pass through illegal XML characters.
>>
>> The original RFC3920[2] is a little vague on this issue (search for
>> "well-formed"), but Peter Saint-Andre's current draft revision[3] is fairly
>> clear:
>> "An XMPP entity MUST NOT accept data that is not XML-well-formed; instead it
>> MUST return an <xml-not-well-formed/> stream error and close the stream over
>> which the data was received."
>>
>> I'm able to reproduce this bug using Pidgin 2.7.3 in Linux.
>> 1. Start two instances of Pidgin (if you're using a single computer then you
>> will probably need to use the --multiple flag)
>> 2. In each instance, log in to a separate account on a single Tigase server (I
>> used tigase.im)
>> 3. In one of the instances, set your status to "away" and type the message
>> "test" then <ctrl>+<shift>+u then 013 then space.  This will insert the ASCII
>> character 013 aka 0x0b aka vertical tab
>> 4. The other instance will be disconnected
>>
>> Background: I'm a developer on the Pidgin IM client.  We had a bug reported
>> to us that Pidgin clients disconnect if someone in your buddy list inserts an
>> illegal XML character into their status message.  I believe Pidgin's behavior
>> is correct, according to the XMPP standards.  This effectively allows clients
>> connected to a Tigase server to perform denial of service attacks against
>> each other, which is why I believe this is somewhat of a security issue.
>>
>> If you have any questions, or disagree with my conclusions, or if there is a
>> better place for me to report this, please let me know and we can discuss
>> further.
>> Thanks,
>> Mark
>>
>> [1] http://www.w3.org/TR/2008/REC-xml-20081126/#charsets
>> [2] http://xmpp.org/rfcs/rfc3920.html
>> [3] http://tools.ietf.org/html/draft-ietf-xmpp-3920bis-12#section-11.3
>>
>>
>
> Artur
> --
> Artur Hefczyc
> http://www.tigase.org/
> http://artur.hefczyc.net/
>
>
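
Added example, not part of the original thread and not Tigase or Pidgin code: a check a relaying server could run on inbound bytes so that data containing characters outside the XML 1.0 Char production is answered with the stream error quoted above instead of being forwarded. It goes one step beyond the raw 0x0b case by also rejecting numeric character references to disallowed code points; the names find_illegal and relay are hypothetical and the sample stanzas are constructed.

```python
import re

# The stream-error namespace is from RFC 3920; the element name is the one
# quoted in the report above.
STREAM_ERROR = (b"<stream:error><xml-not-well-formed "
                b"xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>"
                b"</stream:error></stream:stream>")
CHARREF = re.compile(r"&#(?:x([0-9A-Fa-f]+)|([0-9]+));")

def is_xml_char(cp: int) -> bool:
    """XML 1.0 Char production, as listed in the message above."""
    return (cp in (0x9, 0xA, 0xD) or 0x20 <= cp <= 0xD7FF
            or 0xE000 <= cp <= 0xFFFD or 0x10000 <= cp <= 0x10FFFF)

def find_illegal(data: bytes):
    """Return (offset, reason) for the first violation, or None if clean.
    The offset counts characters, or bytes when the UTF-8 itself is bad."""
    try:
        text = data.decode("utf-8")  # strict: rejects bad sequences and surrogates
    except UnicodeDecodeError as exc:
        return (exc.start, "invalid UTF-8")
    for i, ch in enumerate(text):
        if not is_xml_char(ord(ch)):
            return (i, f"raw U+{ord(ch):04X}")
    # Character references must also resolve to a Char. CDATA sections are not
    # parsed here, so a reference-like string inside one is flagged as well.
    for m in CHARREF.finditer(text):
        cp = int(m.group(1), 16) if m.group(1) else int(m.group(2))
        if not is_xml_char(cp):
            return (m.start(), f"reference to U+{cp:04X}")
    return None

def relay(data: bytes):
    """Hypothetical server hook: forward clean data, else send error and close."""
    if find_illegal(data) is None:
        return ("forward", data)
    return ("close", STREAM_ERROR)

# Constructed sample stanzas modelled on the reproduction steps above.
CLEAN = "<presence><show>away</show><status>test</status></presence>".encode()
VTAB = "<presence><show>away</show><status>test\x0b </status></presence>".encode()
REF = b"<presence><status>test&#11;</status></presence>"

if __name__ == "__main__":
    for name, stanza in (("clean", CLEAN), ("vtab", VTAB), ("ref", REF)):
        print(name, find_illegal(stanza), relay(stanza)[0])
```

With this check on the receiving side of the server, the sender's stream is closed and the other client never sees the vertical tab.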

